Production Infrastructure — Live

Mark's AI Platform
Infrastructure

A fully self-hosted, production-grade technology platform running 96 services on a single dedicated server — built for scale, owned outright.

96
Live Services
128GB
Server RAM
3.4TB
NVMe Storage
32
CPU Threads
3
Live Clients
01 — Hardware

Dedicated Metal. No Shared Resources.

Hetzner dedicated server in Falkenstein, Germany (FSN1-DC7). Cost-locked at €97.70/month. This is enterprise-grade compute at a fraction of cloud pricing.

🖥️
Processor
AMD Ryzen 9 5950X
16 cores / 32 threads · 3.4–4.9 GHz boost · 7nm Zen 3
28% avg load · 72% headroom
🧠
Memory
128 GB ECC DDR4
Error-correcting — data integrity at all times · 24 GB in use
24 GB used · 101 GB available
💾
Storage
2 × 3.84 TB NVMe
Datacenter-class SSDs · 3.4 TB usable · 150 GB used (5%)
150 GB used · 3.1 TB free
🌐
Network
1 Gbps Symmetric
Unlimited bandwidth · IPv4 + IPv6 · IP: 5.9.74.23 · DE-CIX peering
Typical: ~80 Mbps · 920 Mbps headroom

02 — Architecture

Layered. Declarative. Recoverable.

Every layer has a single job. Traffic flows from the internet edge inward through deterministic layers — nothing is improvised, everything is committed to git.

Internet
🌍
Cloudflare
DDoS · CDN · DNS · WAF
📄
CF Pages
Static site hosting · Free unlimited
🔒
Tailscale
Zero-trust VPN overlay
TLS terminated · traffic proxied to origin
Proxy
🔀
Caddy Reverse Proxy
Automatic TLS (Let's Encrypt + Cloudflare DNS-01) · 40+ vhosts · Security headers · Bot scan protection · Internal router on :7070
routed by hostname → backend service
Services
❄️
NixOS Systemd
First-party services · Atomic · Sandboxed
📦
Podman Quadlets
Third-party apps · Rootless containers
🔐
Authentik SSO
Forward auth · OIDC · Google SSO
persistent storage via Unix sockets, loopback, or named volumes
Data
🐘
PostgreSQL
Primary database · PgBouncer pool
Redis
Queue · Cache · Sessions
🗄️
MinIO
S3-compatible object store
🔍
Qdrant
Vector DB · AI embeddings
📊
ClickHouse
Analytics OLAP · Plausible backend
all config in git · secrets via sops-nix
Config
📂
Git (Bare Repos)
/srv/git/exponent-stack/ · Source of truth
🔑
sops-nix
Age-encrypted secrets · Committed safely
❄️
Nix Flake
Reproducible OS · nix/hosts/hetzner/

03 — Services

96 Services. One Server. Zero Compromise.

Every service is declaratively configured, health-monitored, and automatically restarted on failure. Browse by category.

🐘
PostgreSQL 16
NixOS
Primary relational database for all platform services. PgBouncer connection pooling. Multiple databases per service.
Redis
NixOS
In-memory store for queues (BullMQ), caching, sessions, and pub/sub messaging across all services.
🗄️
MinIO
NixOS
Self-hosted S3-compatible object storage. Handles client site assets, uploads, and binary file storage. S3 API compatible.
🔗 minio.platform.manglr.com
🔀
Caddy
NixOS
Reverse proxy handling 40+ virtual hosts with automatic TLS. Zero manual certificate management. Cloudflare DNS-01 for wildcards.
🚦
PgBouncer
NixOS
PostgreSQL connection pooler. Prevents connection exhaustion under high concurrency. Transaction-mode pooling.
📊
ClickHouse
Quadlet
Columnar OLAP database powering Plausible Analytics. Handles billions of analytics events with sub-second queries.
🔍
Qdrant
Quadlet
Vector database for AI embeddings and semantic search. 1,882+ indexed documents. Voyage-3-large embeddings.
🔄
Nango
Quadlet
OAuth credential manager. Handles third-party API integrations, token refresh, and secure credential storage.
🔗 nango.platform.manglr.com
🦙
Ollama
NixOS
Local LLM inference server. Runs open-source models directly on the server hardware. No API costs for local models.
💬
LibreChat
Quadlet
Multi-model AI chat interface. Connects to Claude, GPT-4, Gemini, and local Ollama models. Authentik-gated for Partner tier.
🔗 chat.platform.manglr.com
🧠
Knowledge MCP
NixOS
AI knowledge base server. Qdrant + Voyage embeddings. 1,882 documents searchable by semantic similarity in milliseconds.
🔗 knowledge.platform.manglr.com
🔬
Deep Research MCP
NixOS
AI-powered deep research tool. Multi-source synthesis, citation tracking, and long-form research generation.
🔗 research-mcp.platform.manglr.com
🎭
Editorial Engine
NixOS
AI-powered content generation for client websites. Manages tone, brand voice, and multi-format content output.
🌐
Platform MCP
NixOS
37-tool Model Context Protocol server. Claude AI's direct interface to the entire platform — infrastructure control via AI.
🔗 mcp.platform.manglr.com
🤖
Task Router
NixOS
OpenRouter gateway. Routes AI workloads to the optimal model (Claude, GPT, Gemini) based on task type and cost.
🔗 router.platform.manglr.com
🎵
YouTube Transcriber
NixOS
Automatic transcription pipeline. Converts YouTube content to structured text for knowledge base ingestion.
🔗 transcriber.platform.manglr.com
🔵
Matrix Synapse
Quadlet
Self-hosted Matrix homeserver. Federated, end-to-end encrypted messaging. @mark:marksworkshop.co.uk identity.
🔗 matrix.marksworkshop.co.uk
💻
Element Web
Quadlet
Matrix web client. Full-featured E2EE chat, file sharing, voice/video calls. Runs on self-hosted Synapse.
🔗 element.marksworkshop.co.uk
💬
WhatsApp Bridge
Quadlet
mautrix-whatsapp bridges WhatsApp into Matrix. All WhatsApp conversations available in Element with full history.
📱
Signal Bridge
Quadlet
mautrix-signal bridges Signal into Matrix. Encrypted Signal messages accessible through the Matrix ecosystem.
🎧
Chatwoot
Quadlet
Unified customer support inbox. Live chat, email, WhatsApp — all in one dashboard. Client-facing support tooling.
🔗 support.platform.manglr.com
🎥
Jitsi Meet
NixOS
Self-hosted video conferencing. Full Jitsi stack (Prosody, Jicofo, JVB). No accounts needed. No third-party dependencies.
🔗 meet.platform.manglr.com
🔔
ntfy
NixOS
Push notification server. Platform-wide alerting to mobile and desktop. Used by monitoring, AI agents, and system events.
🔗 ntfy.platform.manglr.com
📧
Listmonk
Quadlet
Newsletter and mailing list manager. Self-hosted Mailchimp alternative. Handles all platform email campaigns.
🔗 listmonk.platform.manglr.com
Vikunja
NixOS
Project management and task tracking. CalDAV sync to iPhone. Sole PM tool since Plane retirement. Claude's operational backbone.
🔗 tasks.platform.manglr.com
📚
Outline
Quadlet
Wiki and SOP library. All platform runbooks, processes, and documentation in one searchable place. OIDC auth via Authentik.
🔗 wiki.platform.manglr.com
☁️
Nextcloud
NixOS
Self-hosted cloud storage and productivity suite. Files, contacts, calendar. Google Drive replacement with full data ownership.
🔗 cloud.manglr.com
⚙️
n8n
Quadlet
Workflow automation platform. Connects services, automates repetitive tasks, builds integrations without code.
🔗 n8n.platform.manglr.com
📝
Formbricks
Quadlet
Open-source form and survey builder. Handles client onboarding flows, feedback collection, and research surveys.
🔗 forms.platform.manglr.com
📄
Stirling PDF
Quadlet
Web-based PDF toolkit. Merge, split, compress, OCR, convert. All processing happens server-side — no cloud upload.
🔗 pdf.platform.manglr.com
✉️
MySigMail
NixOS
Email signature generator. Custom-branded, per-user signatures stored in PostgreSQL. Authentik-gated client tool.
🔗 signatures.marksai.co.uk
🏠
Home Assistant
NixOS
Home automation hub. Hive heating control, Google Calendar integration. Runs on the same dedicated server.
🔗 ha.platform.manglr.com
📡
Prometheus
NixOS
Metrics collection and time-series storage. Scrapes all services every 15s. Foundation of the observability stack.
🔗 prometheus.platform.manglr.com
📊
Grafana
NixOS
Dashboards and visualization. 10+ custom dashboards for server health, service metrics, and business KPIs.
🔗 grafana.platform.manglr.com
📋
Loki
NixOS
Log aggregation. All service logs indexed and queryable. Correlated with metrics for full-stack debugging.
🚨
Alertmanager
NixOS
Alert routing and deduplication. Integrates with ntfy for push notifications. On-call alerting for critical failures.
📈
Netdata
NixOS
High-resolution server vitals. 1-second granularity CPU, memory, disk, network metrics. Real-time performance monitoring.
🔗 netdata.platform.manglr.com
🌐
Plausible Analytics
NixOS
Privacy-first web analytics for all client sites. GDPR-compliant, cookie-free. ClickHouse-backed for sub-second queries.
🔗 analytics.platform.manglr.com
📦
OpenTelemetry
NixOS
Distributed tracing collector. OTEL-instrumented services send traces for end-to-end request visibility.
💓
DMARC Monitor
NixOS
Email authentication monitor. Processes DMARC reports for all domains via Cloudflare Email Routing → custom ingest API.
🔗 dmarc.platform.manglr.com
🛡️
Authentik
Quadlet
Identity Provider and SSO gateway. OIDC/OAuth2 for all internal tools. Google SSO integration. Role-based access control.
🔗 auth.platform.manglr.com
🔑
Vaultwarden
Quadlet
Self-hosted Bitwarden-compatible password manager. All credentials stored locally. Browser extension compatible.
🔗 vault.platform.manglr.com
🚫
fail2ban
NixOS
Intrusion prevention. Auto-bans IPs after failed auth attempts. Protects SSH, Caddy, and all service endpoints.
🔐
sops-nix
NixOS
Age-encrypted secret management. Secrets committed safely to git. Zero plaintext secrets anywhere in the codebase.
🌐
Tailscale
NixOS
Zero-trust WireGuard VPN. Internal services accessible only via Tailnet. Server: 100.120.169.67. No exposed ports for admin tools.
🔒
HSTS + CSP Headers
Caddy
2-year HSTS preload on all domains. Per-vhost Content Security Policy. X-Frame-Options DENY. Referrer-Policy strict. Server header removed (-Server).
🔎
Audit API + Worker
NixOS
Website quality-assurance engine. Crawl → scan → report pipeline. BullMQ-backed async processing for prospect audits.
🔗 audit.platform.manglr.com
📅
Scheduling Service
NixOS
Go-built booking system. Cal.com replacement with embeddable widget. Handles all client appointment scheduling.
🔗 scheduling.platform.manglr.com
🗂️
Directus CMS
Quadlet
Headless CMS for all client sites. 7 Morven collections, Edinburgh Skyline collections. Content triggers CF Pages deploys.
🔗 cms.platform.manglr.com
🏗️
CI Pipeline
NixOS
Build and deploy orchestration. git push → build → Cloudflare Pages deploy. Manages all client site build lifecycle.
🚩
Feature Flags
NixOS
Runtime feature flag service. Toggle features without deploys. Read endpoints open, write endpoints auth-gated.
🔗 flags.platform.manglr.com
🖥️
Playwright Bridge
NixOS
Headless browser automation MCP. Claude can take screenshots, fill forms, test UIs. Full browser control via AI.
🔗 browser.platform.manglr.com
📦
Deploy Receiver
NixOS
Webhook-driven deployment receiver. Accepts push events, triggers rebuilds and service restarts automatically.
🍕
Food Agent
NixOS
AI grocery intelligence agent. Tesco integration for smart shopping automation. Custom worker with session management.

04 — Live Clients

Three Clients. Live in Production.

All sites are Astro-built static output, deployed to Cloudflare Pages for global CDN delivery — free, unlimited bandwidth, instant cache invalidation.

🧘
Morven Hypnotherapy
tayloredhypnotherapy.com
Live
Astro 5 CF Pages Directus CMS Plausible Scheduling

Full-featured therapist site with 7 Directus CMS collections, Google SSO for the editor, automated slug generation, and Cloudflare Pages deploys triggered by content changes. Booking via the self-hosted scheduling service.

🌿
Akasha
akasha.now
Live
Astro 5 CF Pages Directus CMS Plausible

Clean, modern site with headless CMS integration and Plausible analytics. Cookie-free, GDPR-compliant. Global delivery via Cloudflare CDN.

🏙️
Edinburgh Skyline
edinburghskyline.com
Live
Astro 5 CF Pages Directus CMS MinIO R2 Resend

Photography/media site with R2 object storage for high-res images served from images.edinburghskyline.com, 3 CMS collections, and transactional email via Resend.

Deploy pipeline: Content Edit (Directus CMS) → Flow Trigger (Action event) → CF Pages Build (Astro static gen) → Global Deploy (300+ edge nodes) → Live · ~60s total

05 — Technology Choices

Every Decision is Deliberate.

Nothing here is accidental. Each technology was chosen for a specific reason — performance, cost, control, or long-term maintainability.

Operating System
❄️
NixOS 26.05 (Yarara)
Declarative config = reproducible builds. Atomic rollbacks. Every change is a git commit. No configuration drift. Ever.
Reverse Proxy
🔀
Caddy v2
Automatic TLS without cron jobs or certbot. Cloudflare DNS-01 for wildcards. Config is readable prose vs nginx's cryptic syntax.
Secret Management
🔑
sops-nix + age
Secrets live in git — encrypted with age keys. No vault server to maintain, no external dependency. GitOps-native.
Containerisation
📦
Podman Quadlets (rootless)
Third-party apps run rootless — no daemon, no privilege escalation. Systemd-native lifecycle. Docker API compatible.
Site Framework
🚀
Astro 5
Zero JS by default. Content Layer API. Ships pure HTML to browsers. Perfect Lighthouse scores. Cloudflare Pages compatible.
Edge Hosting
🌍
Cloudflare Pages
Free. Unlimited sites and bandwidth. 300+ edge locations. DDoS protection included. Build minutes: unlimited.
Primary Language
🔷
TypeScript / Node.js
Type safety catches bugs at compile time. Vast ecosystem. Vitest for testing. Consistent across frontend and backend services.
Performance Services
🐹
Go (Golang)
Used for latency-sensitive services (scheduling). Single binary, minimal memory footprint. No runtime dependency.
Primary Database
🐘
PostgreSQL 16
Gold standard relational DB. ACID compliant. JSON support. Full-text search. pgvector extension for AI embeddings.
Version Control
📂
Bare Git Repos
Self-hosted at /srv/git/. No Forgejo/GitHub dependency. Git is the interface — no web UI overhead. Commits are deployments.
Identity Provider
🛡️
Authentik
Self-hosted Okta alternative. OIDC/OAuth2/SAML. Google SSO. Forward auth for all internal tools. No per-seat SaaS cost.
AI Orchestration
🤖
Claude Code (Claude Opus/Sonnet)
AI agent runs directly on the server. 37 MCP tools. Can rebuild NixOS, deploy services, write code, and manage infrastructure autonomously.

06 — Engineering Principles

Rules That Don't Bend.

Hard-won rules that prevent the most common failure modes. Every one of these exists because someone — somewhere — learned it the hard way.

01
NixOS-First for All First-Party Code
Every service we write lives as a NixOS systemd unit. Atomic rollbacks, security sandboxing, instant deploys. Docker is reserved for third-party software only.
02
Everything in Git — Always
Configuration drift is the #1 ops killer. Every setting, service definition, and secret (encrypted) lives in the git repo. No manual config changes to /etc/.
03
No Technical Debt — Ever
Build the correct solution from day one. "Good enough for now" becomes "impossible to fix later". Every architectural decision is made for the 10-year horizon.
04
Design System Before Code
Tokens, spacing scale, and typography decided before a single component is written. Six visual polish passes max — then ship. No endless design iteration.
05
CMS from Commit 1
Content is never hardcoded. Every client site has Directus CMS wired from the first deployment. Changing copy never requires a developer.
06
Always Astro — No Exceptions
Client sites are always Astro. No React, no Next.js, no framework churn. Pure HTML output, zero JS overhead unless explicitly opted in. Lighthouse 100 by default.
07
Max Parallelism by Default
AI agents use git worktrees and parallel sub-agents for all independent work. Single-threaded execution is a failure mode, not a safe default.
08
Verify Before Claiming Complete
No feature is "done" until it passes browser testing, health checks, and end-to-end verification. "It should work" is not verification.
09
Hosting Decided Before First Commit
Infrastructure choices locked before coding starts. No mid-project migrations. "We'll figure out hosting later" is how projects die.

07 — AI-Native Operations

Claude Runs the Platform.

This isn't AI as a code autocomplete. Claude Code runs as a persistent agent on the server with direct access to 37 MCP tools — it deploys services, manages infrastructure, writes and tests code, and monitors the platform.

🔧
Platform MCP — 37 Tools
Claude can read/write files, query databases, restart services, rebuild NixOS, check systemd logs, manage Docker, send alerts, and execute bash — all via structured MCP calls.
🖥️
Playwright Bridge
Claude controls a real Chromium browser. Can register for APIs, test UIs, fill forms, take screenshots, and verify deployments — autonomous browser operation.
🚀
cc_dispatch Missions
Long-running tasks are dispatched as isolated Claude Code sessions with full platform access. Parallel missions run in git worktrees to prevent staging conflicts.
📊
AI-Managed Tasks
Vikunja is Claude's operational backbone. Claude creates tasks, closes missions, and updates system state — the platform runs itself with minimal human input.
NixOS rebuild + deploy
Add/configure new services
Write and test TypeScript/Go
Manage sops-nix secrets
Cloudflare DNS changes
PostgreSQL schema migrations
Debug + fix failing services
API key registration (via browser)
Client site builds + deploys
Monitor + alert on failures
Directus CMS configuration
Git commit + push operations

08 — Cost Architecture

Cloud Cost. Eliminated.

Running 96 services on equivalent AWS infrastructure would cost $3,000–8,000/month. On dedicated metal, the entire platform runs for under £200/month total.

Total Monthly Cost
€98
per month, locked — all 96 services included
Hetzner AX102 Dedicated Server
€97.70/mo locked price
Cloudflare (DDoS, CDN, DNS, Pages)
Free unlimited sites + bandwidth
Tailscale (VPN overlay)
Free personal plan
Email (Resend)
Free tier
TLS Certificates (Let's Encrypt)
Free auto-renewed
Cloud equivalent estimate: 96 services on AWS/GCP with comparable specs (EC2 + RDS + ElastiCache + S3 + CloudFront + various managed services) would cost approximately $4,000–8,000/month. Self-hosted dedicated delivers a 40–80× cost advantage with full data ownership and no vendor lock-in.

09 — Security Posture

Defence in Depth.

Multiple independent layers of protection. No single point of failure. Security is enforced at the infrastructure level — not left to application code.

🌍
Cloudflare Edge
DDoS protection at Cloudflare's edge. Traffic is scrubbed before reaching the origin. WAF rules block common attack patterns.
🔒
TLS Everywhere
Every service over HTTPS. 2-year HSTS preload on all domains. Caddy auto-renews certificates. No plaintext HTTP anywhere.
🛡️
Authentik Forward Auth
All internal tools gated by Authentik. Even if a service has a bug, Caddy's forward_auth layer blocks unauthenticated access.
🌐
Tailscale Zero-Trust
Admin interfaces only accessible via Tailscale VPN. No SSH exposed to the internet. WireGuard-based with device authentication.
📦
Rootless Containers
Podman Quadlets run without root. A compromised container cannot escalate to host root. Systemd sandboxing on all NixOS services.
🔑
Zero Plaintext Secrets
sops-nix: every secret is age-encrypted before commit. No .env files. No hardcoded credentials. Secrets decrypted only at runtime.
🚫
Bot Scan Blocking
WordPress/admin bot scans aborted at Caddy before reaching upstream. 151+ bot requests/day blocked per vhost. Zero upstream load.
📋
Per-Vhost CSP
Content Security Policy tuned per service. script-src, frame-ancestors, connect-src locked down individually. Not one-size-fits-all.
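The forward-auth gate, the HSTS/CSP headers and the bot-scan abort described in this section, combined into one NixOS-managed Caddy vhost. This is an added example rather than the platform's own configuration; the hostname, the upstream port 3000, the Authentik outpost address 127.0.0.1:9000 (Authentik's default port), the probe path list and the CSP and Referrer-Policy values are assumptions.

```nix
# Added example, not the platform's own config. Assumptions: hostname,
# upstream on 127.0.0.1:3000, Authentik outpost on 127.0.0.1:9000,
# the probe path list and the header values.
{ ... }:
{
  services.caddy = {
    enable = true;
    virtualHosts."wiki.example.com".extraConfig = ''
      # Bot-scan blocking: known WordPress/admin probe paths are aborted
      # here, so the upstream never sees them. handle blocks are
      # mutually exclusive, which keeps the abort ahead of the proxy.
      @botscan path /wp-admin* /wp-login.php /xmlrpc.php /.env /.git/*
      handle @botscan {
        abort
      }

      # Per-vhost security headers. Deleting a header (-Server) defers
      # the whole block until the response is written, so the upstream's
      # own Server header is stripped as well.
      header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
      }

      handle {
        # route keeps the directives in written order.
        route {
          # Authentik's own outpost paths (login flow) go straight to it.
          reverse_proxy /outpost.goauthentik.io/* 127.0.0.1:9000

          # Every other request is checked against Authentik first.
          # Unauthenticated callers are redirected to login and never
          # reach the upstream, even if the upstream itself has a bug.
          forward_auth 127.0.0.1:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
            trusted_proxies private_ranges
          }

          # The application, reached only after the checks above.
          reverse_proxy 127.0.0.1:3000
        }
      }
    '';
  };
}
```

A quick check after `nixos-rebuild switch`: an unauthenticated `curl -I` against the vhost should return a redirect to Authentik, a request for `/wp-login.php` should get an empty reply, and the response headers on any authenticated page should carry the HSTS and CSP values above with no Server header.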